CVE-2024-42051 is a local privilege escalation vulnerability identified in the MSI installer component of Splashtop Streamer for Windows versions before 3.6.2.0. The root cause lies in the installer’s use of a temporary folder with weak access permissions during the installation process. Specifically, the installer creates or uses a temporary directory where it places the InstRegExp.reg file, which is critical for registry configuration. Due to insufficient permission controls, a local attacker with limited privileges can replace or tamper with this file before or during installation. By substituting InstRegExp.reg with a maliciously crafted file, the attacker can escalate their privileges to SYSTEM level, gaining full control over the affected machine. This vulnerability does not require user interaction beyond local access and can be exploited with low complexity, as indicated by the CVSS vector (Attack Complexity: Low, Attack Vector: Local, Privileges Required: Low, User Interaction: None). The impact on confidentiality, integrity, and availability is high because SYSTEM-level access allows complete system compromise. Although no public exploits are currently known, the vulnerability’s characteristics make it a significant risk in environments where local user accounts exist with limited restrictions. The CWE-1391 classification highlights improper permissions on temporary files or directories as the underlying weakness. The vulnerability was published on July 28, 2024, and affects all versions prior to 3.6.2.0, though exact affected versions are not enumerated. No official patches were linked at the time of reporting, emphasizing the need for immediate mitigation.

The primary impact of CVE-2024-42051 is the potential for local attackers to escalate privileges to SYSTEM on Windows machines running vulnerable versions of Splashtop Streamer. SYSTEM-level access effectively grants full control over the affected system, enabling attackers to install malware, exfiltrate sensitive data, modify system configurations, or disrupt operations. This can lead to severe confidentiality breaches, integrity violations, and availability disruptions. In enterprise environments where Splashtop Streamer is deployed for remote access and support, exploitation could facilitate lateral movement and persistence within networks. Organizations with multiple users having local access to endpoints are particularly vulnerable. The vulnerability also increases the attack surface for insider threats or compromised accounts with limited privileges. Given the widespread use of Splashtop Streamer in corporate, educational, and government sectors, the potential for significant operational and reputational damage is considerable if exploited. Although no known exploits are currently in the wild, the ease of exploitation and high impact warrant urgent attention.

1. Immediately restrict local user permissions on systems running Splashtop Streamer to prevent unauthorized access to installation temporary directories. 2. Monitor and audit temporary folders used during MSI installations for unauthorized file modifications, particularly focusing on InstRegExp.reg. 3. Apply the vendor’s patch or update to Splashtop Streamer version 3.6.2.0 or later as soon as it becomes available. 4. If patching is not immediately possible, consider deploying application whitelisting or endpoint protection solutions that can detect or block unauthorized file replacements during installation. 5. Educate system administrators and users about the risks of local privilege escalation and enforce the principle of least privilege to minimize the number of users with local access. 6. Use Group Policy or other configuration management tools to harden permissions on temporary directories and restrict write access to trusted accounts only. 7. Regularly review and update endpoint security policies to detect anomalous behavior indicative of privilege escalation attempts. 8. In environments with high security requirements, consider isolating or limiting the use of Splashtop Streamer until the vulnerability is remediated.